func setupAdmissionTest(t *testing.T, setupConfig func(*configapi.MasterConfig)) (*kclient.Client, *client.Client) {
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("error creating config: %v", err)
}
setupConfig(masterConfig)
kubeConfigFile, err := testserver.StartConfiguredMasterAPI(masterConfig)
if err != nil {
t.Fatalf("error starting server: %v", err)
}
kubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client: %v", err)
}
openshiftClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting openshift client: %v", err)
}
return kubeClient, openshiftClient
}
func setupAuditTest(t *testing.T) (*kclient.Client, *client.Client) {
testutil.RequireEtcd(t)
masterConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("error creating config: %v", err)
}
masterConfig.AuditConfig.Enabled = true
kubeConfigFile, err := testserver.StartConfiguredMasterAPI(masterConfig)
if err != nil {
t.Fatalf("error starting server: %v", err)
}
kubeClient, err := testutil.GetClusterAdminKubeClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting client: %v", err)
}
openshiftClient, err := testutil.GetClusterAdminClient(kubeConfigFile)
if err != nil {
t.Fatalf("error getting openshift client: %v", err)
}
return kubeClient, openshiftClient
}
func TestAuthProxyOnAuthorize(t *testing.T) {
idp := configapi.IdentityProvider{}
idp.Name = "front-proxy"
idp.Provider = runtime.EmbeddedObject{&configapi.RequestHeaderIdentityProvider{Headers: []string{"X-Remote-User"}}}
idp.MappingMethod = "claim"
masterConfig, err := testserver.DefaultMasterOptions()
checkErr(t, err)
masterConfig.OAuthConfig.IdentityProviders = []configapi.IdentityProvider{idp}
clusterAdminKubeConfig, err := testserver.StartConfiguredMasterAPI(masterConfig)
checkErr(t, err)
clusterAdminClientConfig, err := testutil.GetClusterAdminClientConfig(clusterAdminKubeConfig)
checkErr(t, err)
clusterAdminClient, err := testutil.GetClusterAdminClient(clusterAdminKubeConfig)
checkErr(t, err)
// set up a front proxy guarding the oauth server
proxyHTTPHandler := NewBasicAuthChallenger("TestRegistryAndServer", validUsers, NewXRemoteUserProxyingHandler(clusterAdminClientConfig.Host))
proxyServer := httptest.NewServer(proxyHTTPHandler)
defer proxyServer.Close()
t.Logf("proxy server is on %v\n", proxyServer.URL)
// need to prime clients so that we can get back a code. the client must be valid
result := clusterAdminClient.RESTClient.Post().Resource("oAuthClients").Body(&oauthapi.OAuthClient{ObjectMeta: kapi.ObjectMeta{Name: "test"}, Secret: "secret", RedirectURIs: []string{clusterAdminClientConfig.Host}}).Do()
checkErr(t, result.Error())
// our simple URL to get back a code. We want to go through the front proxy
rawAuthorizeRequest := proxyServer.URL + origin.OpenShiftOAuthAPIPrefix + "/authorize?response_type=code&client_id=test"
// the first request we make to the front proxy should challenge us for authentication info
shouldBeAChallengeResponse, err := http.Get(rawAuthorizeRequest)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
if shouldBeAChallengeResponse.StatusCode != http.StatusUnauthorized {
t.Errorf("Expected Unauthorized, but got %v", shouldBeAChallengeResponse.StatusCode)
}
// create an http.Client to make our next request. We need a custom Transport to authenticate us through our front proxy
// and a custom CheckRedirect so that we can keep track of the redirect responses we're getting
// OAuth requests a few redirects that we don't really care about checking, so this simpler than using a round tripper
// and manually handling redirects and setting our auth information every time for the front proxy
redirectedUrls := make([]url.URL, 10)
httpClient := http.Client{
CheckRedirect: getRedirectMethod(t, &redirectedUrls),
Transport: ktransport.NewBasicAuthRoundTripper("sanefarmer", "who?", insecureTransport()),
}
// make our authorize request again, but this time our transport has properly set the auth info for the front proxy
req, err := http.NewRequest("GET", rawAuthorizeRequest, nil)
_, err = httpClient.Do(req)
if err != nil {
t.Errorf("Unexpected error: %v", err)
}
// check the last redirect and see if we got a code
foundCode := ""
if len(redirectedUrls) > 0 {
foundCode = redirectedUrls[len(redirectedUrls)-1].Query().Get("code")
}
if len(foundCode) == 0 {
t.Errorf("Did not find code in any redirect: %v", redirectedUrls)
} else {
t.Logf("Found code %v\n", foundCode)
}
}
func TestCachingDiscoveryClient(t *testing.T) {
testutil.RequireEtcd(t)
defer testutil.DumpEtcdOnFailure(t)
_, originKubeConfig, err := testserver.StartTestMasterAPI()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
originClient, err := testutil.GetClusterAdminClient(originKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
resourceType := "buildconfigs"
originDiscoveryClient := client.NewDiscoveryClient(originClient.RESTClient)
originUncachedMapper := clientcmd.NewShortcutExpander(originDiscoveryClient, nil)
if !sets.NewString(originUncachedMapper.All...).Has(resourceType) {
t.Errorf("expected %v, got: %v", resourceType, originUncachedMapper.All)
}
cacheDir, err := ioutil.TempDir("", "TestCachingDiscoveryClient")
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
defer func() {
if !t.Failed() {
os.RemoveAll(cacheDir)
}
}()
// this client should prime the cache
originCachedDiscoveryClient := clientcmd.NewCachedDiscoveryClient(originDiscoveryClient, cacheDir, time.Duration(10*time.Minute))
originCachedMapper := clientcmd.NewShortcutExpander(originCachedDiscoveryClient, nil)
if !sets.NewString(originCachedMapper.All...).Has(resourceType) {
t.Errorf("expected %v, got: %v", resourceType, originCachedMapper.All)
}
// this client will fail if the cache fails
unbackedDiscoveryClient := clientcmd.NewCachedDiscoveryClient(nil, cacheDir, time.Duration(10*time.Minute))
unbackedOriginCachedMapper := clientcmd.NewShortcutExpander(unbackedDiscoveryClient, nil)
if !sets.NewString(unbackedOriginCachedMapper.All...).Has(resourceType) {
t.Errorf("expected %v, got: %v", resourceType, unbackedOriginCachedMapper.All)
}
atomicConfig, err := testserver.DefaultMasterOptions()
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
atomicConfig.DisabledFeatures = configapi.AtomicDisabledFeatures
atomicConfig.DNSConfig = nil
atomicKubeConfig, err := testserver.StartConfiguredMasterAPI(atomicConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
atomicClient, err := testutil.GetClusterAdminClient(atomicKubeConfig)
if err != nil {
t.Fatalf("unexpected error: %v", err)
}
atomicDiscoveryClient := client.NewDiscoveryClient(atomicClient.RESTClient)
atomicUncachedMapper := clientcmd.NewShortcutExpander(atomicDiscoveryClient, nil)
if sets.NewString(atomicUncachedMapper.All...).Has(resourceType) {
t.Errorf("expected no %v, got: %v", resourceType, atomicUncachedMapper.All)
}
// this client will give different results if the cache fails
conflictingDiscoveryClient := clientcmd.NewCachedDiscoveryClient(atomicDiscoveryClient, cacheDir, time.Duration(10*time.Minute))
conflictingCachedMapper := clientcmd.NewShortcutExpander(conflictingDiscoveryClient, nil)
if !sets.NewString(conflictingCachedMapper.All...).Has(resourceType) {
t.Errorf("expected %v, got: %v", resourceType, conflictingCachedMapper.All)
}
// this client should give different results as result of a live lookup
expiredDiscoveryClient := clientcmd.NewCachedDiscoveryClient(atomicDiscoveryClient, cacheDir, time.Duration(-1*time.Second))
expiredAtomicCachedMapper := clientcmd.NewShortcutExpander(expiredDiscoveryClient, nil)
if sets.NewString(expiredAtomicCachedMapper.All...).Has(resourceType) {
t.Errorf("expected no %v, got: %v", resourceType, expiredAtomicCachedMapper.All)
}
}